
Method platformSpecOpts

internal/cri/server/container_create.go:595–639  ·  view source on GitHub ↗

platformSpecOpts adds additional runtime spec options that may rely on runtime information (rootfs mounted), or platform specific checks with no defined workaround (yet) to specify for other platforms.

(
	platform imagespec.Platform,
	config *runtime.ContainerConfig,
	imageConfig *imagespec.ImageConfig,
)

Source from the content-addressed store, hash-verified

593// runtime information (rootfs mounted), or platform specific checks with
594// no defined workaround (yet) to specify for other platforms.
func (c *criService) platformSpecOpts(
	platform imagespec.Platform,
	config *runtime.ContainerConfig,
	imageConfig *imagespec.ImageConfig,
) ([]oci.SpecOpts, error) {
	var opts []oci.SpecOpts

	// Options usable across host platforms come first. For Linux containers
	// the user string has workarounds on other hosts that avoid mounting the
	// rootfs; on Linux hosts the rootfs must be mounted to resolve it.
	//
	// TODO(dcantah): I think the seccomp package can be made to compile on
	// !linux and used here as well.
	if platform.OS == "linux" {
		// Resolving a user name needs access to the container rootfs, so the
		// string is handed over via oci.WithUser instead of being written
		// into the spec here.
		sc := config.GetLinux().GetSecurityContext()
		user, err := util.GenerateUserString(
			sc.GetRunAsUsername(),
			sc.GetRunAsUser(),
			sc.GetRunAsGroup(),
		)
		if err != nil {
			return nil, fmt.Errorf("failed to generate user string: %w", err)
		}

		// Precedence: a user supplied through the CRI security context wins;
		// the image's configured User is consulted only when CRI supplied none.
		// NOTE(review): imageConfig is dereferenced without a nil check, so
		// this assumes callers always pass a non-nil config; verify.
		if user == "" {
			user = imageConfig.User
		}

		// When both sources are empty no WithUser option is added here.
		// NOTE(review): confirm which user the rest of spec generation leaves
		// in place in that case; do not assume it is non-root.
		if user != "" {
			opts = append(opts, oci.WithUser(user))
		}
	}

	// The truly platform specific options (seccomp, apparmor etc. for linux
	// for example) are appended after the generic ones.
	platformOpts, err := c.containerSpecOpts(config, imageConfig)
	if err != nil {
		return nil, err
	}

	return append(opts, platformOpts...), nil
}
640
641// buildContainerSpec build container's OCI spec depending on controller's target platform OS.
642func (c *criService) buildContainerSpec(

Callers 2

createContainerMethod · 0.95
TestProcessUserFunction · 0.80

Implementers 1

criServiceinternal/cri/server/service.go

Calls 3

containerSpecOptsMethod · 0.95
GenerateUserStringFunction · 0.92
WithUserFunction · 0.92

Tested by 1

TestProcessUserFunction · 0.64